
Glossary

VPA = Virtual Private ARCHIBUS restriction
SSO = Single Sign-On
LDAP = Lightweight Directory Access Protocol
WebCentral = ARCHIBUS Core Engine
IIS = Internet Information Services (IIS, formerly Internet Information Server), an extensible web server created by Microsoft
SS = Security Service

1.1 ARCHIBUS System Security

There are several security levels in ARCHIBUS, as described below.

ARCHIBUS Web Central Security

Covers the Spring Security framework used by Web Central. These methods apply to Web Central applications. The authentication methods are:

1. ARCHIBUS Security
2. Single Sign-On (SSO)
3. LDAP
4. Mixed Case: SSO + ARCHIBUS Security or LDAP

1. ARCHIBUS Security

The default scenario, which uses ARCHIBUS security and Web Central as the authentication server. The security service:

a) Presents a login dialog.
b) Receives the request with the login credentials (Username and password).
c) Loads the UserAccount object from a record in the afm_users table for the given Username.
d) Compares the password against the property of the UserAccount (authentication).
e) Uses the UserAccount properties (security groups, security groups from the user role, VPAs) for the authorization.

The password can be stored in the authentication repository in clear text or encrypted (strictly, hashed). It can be encoded using the older ARCHIBUS format, the newer ARCHIBUS format (PasswordEncoderVersion2Impl), or some other encoding (such as MD5 or SHA). Clear-text storage and unsalted MD5 or SHA digests should be avoided: anyone who obtains a copy of afm_users then recovers the passwords directly or from precomputed tables, so the newer ARCHIBUS format is the one to use.

2. Single Sign-On (SSO)

In this scenario, the site uses an external authentication server to manage passwords. All Web Central requests are routed to this external single sign-on server for authentication.

The Essential SSO Sequence:

1. The Web Server/Application Server receives a request for the Web Central resource.
2. The SSO server authenticates the user.
3. The Web Server/Application Server inserts the SSO Username into the request header and forwards the request to Web Central. For example, the IIS filter gets the Username of the remote user and inserts this value as the remote user value, so that in Tomcat HttpServletRequest.getRemoteUser() returns the Username.
4. The security service loads the UserAccount object from a record in the afm_users table for the given Username.
5. The security service uses the UserAccount properties (security groups and VPAs) for the authorization.

Project ID Options:

The projectid option (such as the project name in afm-projects.xml) can be specified in the request header or in the property file. The specified project is used as the context.

Retrieving the Username from the Request

The security service gets the Username from the request. It can do so:

- from the request header
- from a cookie
- from HttpServletRequest.getRemoteUser()
- from the request parameter

Web Central cannot tell a header, cookie or parameter written by the SSO filter from one supplied by the client. Whichever source is configured, the front-end web server must be the only path to Web Central (no direct access to the Tomcat port), and it must overwrite or strip the client-supplied copy of that header, cookie or parameter on every request; otherwise any client can log in as any Username simply by setting it.

Mapping SSO Users to ARCHIBUS Users

The use cases for mapping SSO users to ARCHIBUS user accounts within the security service (SS) are these:

- The SSO Username is used as the SS Username (one-to-one).
- All SSO Usernames are mapped to a single SS Username (many-to-one).
- SSO Usernames are mapped to SS Usernames (one-to-one). The site would need to implement one-way synchronization of LDAP usernames with afm_users usernames.
- SSO Usernames are mapped to SS Usernames (one-to-one). If there is no matching SS Username, the Guest Username is used.

The mapping can happen in the Web Server/Application Server, or in the SS.

o Example of the mapping in the Web Server/Application Server: the IIS filter gets the Username of the remote user, calls the LDAP server with the SSO Username and password, and the LDAP server authenticates the SSO user credentials and returns the SS Username for the given SSO Username. The IIS filter then inserts the SS Username as the remote user value into the request header.
o Example of the mapping in the SS: the SS gets the SSO Username from the request, calls the LDAP server with the SSO Username and password, and the LDAP server authenticates the SSO user credentials and returns the SS Username for the given SSO Username.

3. LDAP

The Essential LDAP Scenario:

In this scenario, user credentials are kept in an LDAP server external to Web Central. The security service:

1. Presents the login dialog.
2. Receives the request with the login credentials (Username and password).
3. Calls the LDAP server with the Username and password; the LDAP server authenticates the user credentials.
4. Loads the UserAccount object from a record in the afm_users table for the given Username.
5. Uses the UserAccount properties (security groups, VPAs) for the authorization.

Note: The LDAP configurations are compatible with any LDAP server; however, ARCHIBUS has not tested LDAP configurations with non-AD servers.

There are three Active Directory authentication scenarios provided for Web Central.
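As an added example (not ARCHIBUS or Web Central code), the following Python resolves a username set by the SSO front end into an afm_users username for each of the mapping use cases above, and also for the one-to-one, many-to-one and authority-by-prefix Active Directory configurations described next. The header name X-Remote-User, the trusted-proxy range, the afm_users rows and the directory group data are all constructed assumptions for the example; in Web Central the value arrives via HttpServletRequest.getRemoteUser() or a configured header, and group membership comes from LDAP.

```python
"""Added example, not ARCHIBUS code: map a pre-authenticated SSO username
to a Security Service (afm_users) username.

All data below is constructed for the example. The real username source is
the IIS filter / HttpServletRequest.getRemoteUser(); the real group data
comes from LDAP.
"""
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions) -----------------------------------
AFM_USERS = {"smith", "davies", "afm", "guest", "fm-manager"}   # afm_users.user_name
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]                     # hosts running the SSO filter
SSO_HEADER = "X-Remote-User"                                      # assumed header name
# Authority-by-prefix: directory group -> shared Web Central user (assumed mapping)
GROUP_TO_SHARED_USER = {"FM-Managers": "fm-manager", "FM-Staff": "afm"}
# Constructed directory: SSO user -> groups (stands in for an LDAP lookup)
DIRECTORY_GROUPS = {
    "BIGUNIV\\smith": ["FM-Managers"],
    "BIGUNIV\\davies": ["FM-Staff"],
    "BIGUNIV\\jones": [],
}


class SsoError(Exception):
    """Raised when the request cannot be attributed to an afm_users account."""


def strip_domain(sso_user: str) -> str:
    """BIGUNIV\\smith -> smith ; smith@bigu.edu -> smith."""
    user = sso_user.rsplit("\\", 1)[-1]
    return user.split("@", 1)[0].lower()


def sso_username_from_request(headers: dict, remote_addr: str) -> str:
    """Accept the SSO header only from a trusted front-end proxy.

    Web Central cannot distinguish a header set by the SSO filter from one
    the client typed itself; if the Tomcat port is reachable directly, any
    client could impersonate any user. So the source address is checked first.
    """
    addr = ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        raise SsoError("request did not come through the SSO front end")
    user = headers.get(SSO_HEADER, "").strip()
    if not user:
        raise SsoError("no SSO username in request")
    return user


def map_to_ss_user(sso_user: str, mode: str) -> str:
    """Apply one of the mapping use cases from the text."""
    name = strip_domain(sso_user)
    if mode == "one_to_one":                  # SSO Username is the SS Username
        if name not in AFM_USERS:
            raise SsoError(f"no afm_users record for {name}")
        return name
    if mode == "one_to_one_guest":            # fall back to the Guest user
        return name if name in AFM_USERS else "guest"
    if mode == "many_to_one":                 # everyone becomes the AFM user
        return "afm"
    if mode == "authority_by_prefix":         # shared user chosen by LDAP group
        for group in DIRECTORY_GROUPS.get(sso_user, []):
            if group in GROUP_TO_SHARED_USER:
                return GROUP_TO_SHARED_USER[group]
        raise SsoError(f"{sso_user} is in no mapped group")
    raise ValueError(f"unknown mode {mode}")


def resolve(headers: dict, remote_addr: str, mode: str) -> str:
    """Full path: trust check, then mapping."""
    return map_to_ss_user(sso_username_from_request(headers, remote_addr), mode)


if __name__ == "__main__":
    hdrs = {SSO_HEADER: "BIGUNIV\\smith"}
    for mode in ("one_to_one", "many_to_one", "one_to_one_guest", "authority_by_prefix"):
        print(mode, "->", resolve(hdrs, "10.0.0.5", mode))
    try:
        resolve(hdrs, "203.0.113.9", "one_to_one")   # same header, untrusted source
    except SsoError as err:
        print("rejected:", err)
```

The source-address check is the part that is easy to forget: the mapping modes only decide which afm_users record a request gets, while the trust check decides whether the username in the request is believable at all. Equivalent protection at the network layer (the Tomcat port reachable only from the IIS host) serves the same purpose.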

One-to-One Configuration

In this configuration, Active Directory (AD) users are mapped to their own unique ARCHIBUS identity. For instance, BIGUNIV\smith is mapped to the smith ARCHIBUS user, and BIGUNIV\davies is mapped to the davies ARCHIBUS user.

Many-to-One Configuration

In this configuration, all Active Directory (AD) authenticated users become one Web Central common/shared user. As an example, AD users BIGUNIV\smith and BIGUNIV\davies will both become a common/shared user on Web Central. By default both users become the AFM user. With a shared account, Web Central's own records no longer identify the individual who acted; the AD logs are then the only place that information exists.

Authority-by-Prefix Configuration

In this configuration, Active Directory (AD) users are mapped to a common/shared user in Web Central according to their LDAP group assignments.

4. Mixed Case: SSO + ARCHIBUS Security or LDAP

Multiple Authentication Types Required

Some users use computers that belong to the domain, so they are already authenticated by the SSO server. Other users use computers outside of the domain, so they are not authenticated by the SSO server. These two categories of users are mapped to different instances of Web Central. The two instances use the clustered-application-servers feature of Web Central, which avoids copying the license file. The domain users use the Web Central instance configured for SSO. The users outside of the domain use the Web Central instance configured for ARCHIBUS security or LDAP. That instance must use a secure HTTP channel (HTTPS), because the domain username and password (LDAP) are transmitted over it.

ARCHIBUS hierarchical security

Hierarchical security applies to Windows applications and to web applications. This security level is a refinement of the regular security group codes and further controls access to columns of data (fields). It adds a flexible system for organizing security access into hierarchies so that the application security organization can reflect the structure of your organization. It also gives you the ability to aggregate security groups into roles so that all of the permissions that each type of staff member needs to execute their mission can be assigned in one step.

Hierarchical security enables you to assign roles access to domain, activity, or functional role tasks in one step. The roles can then be assigned to users. This makes it possible for large numbers of schema elements (e.g. fields, tasks) to be aggregated according to function. It also means that these aggregates can be assigned in powerful and flexible ways.

Hierarchical security regroups the ARCHIBUS tasks and fields into roles and groups. Implementing security becomes a matter of deciding how roles at your site differ from the standard. For instance, do your CIOs also want to see all of the review-level detail? If so, add the %rev% group to their role along with the %cio group.

Two key goals of hierarchical security are:

- Reduce the number of groups that a site needs to define and maintain.
- Ship a default security schema that needs minimal modification for use at end-user sites.

Roles and Groups

Hierarchical security for group codes covers most of the distance to achieving these goals, with roles and VPAs giving sites the flexibility to further combine and map these security groups according to their own needs.

Roles

Roles correspond to the types of users (and therefore the types of access each user needs). Each role is like a key ring giving access to a select set of areas of the application. Roles can include parameters controlling menu access, row access (VPA), and column access (security groups and hierarchical security groups).

Groups

If a role is like a key ring, the individual groups are the keys. These keys can grant access to Navigator items, Hotlist items, processes on the Process Navigator, and edit and review rights on individual fields. You assign groups to roles to assemble the selection of keys or rights that the role should have.

You can also assign groups to individual users, but you should favor assigning them to roles, since this reduces the amount of security administration you need. You can use regular groups (which must match exactly) or hierarchical groups. Hierarchical groups act like a hierarchy of master keys, with each master able to open an entire set of related doors. Just as with physical keys, using these "master keys" or hierarchical groups can greatly reduce the number of groups you need to define, maintain, and assign.

Users

At sites using security, users are those allowed to log in to the system. When they log in, users are granted the rights associated with their role. They may have other per-user settings, such as a VPA restriction.

Processes

If your site is using the Process Navigator interface, each user may be assigned one or more processes (e.g. the Craftsperson or the Supervisor process). These determine which role-specific tasks appear on your Process Navigator menu when you log in.

Virtual Private ARCHIBUS

This security level applies to Windows applications and to web applications. It is an extension of application security that controls access to rows of data (records). With it, you can partition your entire database by region, division, or organization, yet keep all of your data in one central database with a common set of rollup or validating codes.

The Virtual Private ARCHIBUS restriction is like a view-to-view restriction you set on a table in one view (e.g. bl.bl_id LIKE 'HQ%') that is then applied to all subsequent views loaded in that session. However:

- It is defined on a per-role basis and is initialized and added to each user's profile on login.
- It is established when the user logs into the database and remains for the duration of the session.
- It applies to the Select Values dialog as well as to the view.
- It applies to the Drawing List in both ARCHIBUS and the Overlay (hence you don't see drawings managed by other sites).
- It can be set globally on all similar tables or fields with a single statement.
- It cannot be cleared with the Clear Restriction command.

Note: VPA applies to the data retrieved by the program, but not to calculations or actions. For instance, if a staff member runs the recalculate chargeback task, it recalculates for all data. Access to such tasks therefore has to be limited through roles and groups; the VPA alone does not contain their effect.

Note: If more than one VPA restriction is specified, the restrictions are joined with an AND.
ARCHIBUS uses two types of VPA restrictions:

Default Site and Building Code VPA Restrictions in the A/FM Users Table

Most sites establish VPA restrictions based on geographic responsibilities. For this usage, ARCHIBUS has a shorthand for specifying the VPA restriction. In the A/FM Users table, you enter the comma-delimited list of Building Codes or Site Codes to which each user should have access. This feature is useful for implementations that have dozens, or even hundreds, of sites and buildings for which to manage data access.

Default VPA Rules

When you enter values in the Building Code List or Site Code List of the A/FM Users table, the program uses the following rules to establish the VPA restriction.

List Items. List items add a WHERE ... IN clause:
o HQ adds the clause ( bl_id IN ( 'HQ' ))
o JFK-A, JFK-B adds the clause ( bl_id IN ( 'JFK-A', 'JFK-B' ))

Nulls. NULL adds an IS NULL clause:
o NULL adds the clause ( bl_id IS NULL )

Wildcards. Items with wildcards add a LIKE clause:
o HQ% adds the clause ( bl_id LIKE 'HQ%' )

Compound Conditions. Multiple conditions are ORed together:
o NULL,HQ%, JFK-A, JFK-B adds the clause
  (( bl_id IS NULL ) OR ( bl_id LIKE 'HQ%' ) OR ( bl_id IN ( 'JFK-A', 'JFK-B' )))

Table and Field Names. Table and field names are replaced as appropriate for the table. For instance, the validated "Building Code" fields in the Move Order table are mo.bl_id_from and mo.bl_id_to.

Building and Site Restrictions. Restrictions on the Building Code List and restrictions on the Site Code List are ANDed together. This is because they are actually separate VPA restrictions, and all separate VPA restrictions are ANDed.

Default VPA Details. The default VPA restriction establishes a validating-table VPA on the Buildings table and/or on the Sites table.

VPA Restrictions Entered in the A/FM Roles Table

You specify VPAs per role, that is, in the A/FM Roles table; the role is then assigned to a user. There are a number of options for VPAs, summarized below. The use of these options will become clearer in the examples in the How-to procedures listed below:

A/FM Role VPA Restriction Format

When specifying a restriction in the VPA Restriction field of the A/FM Roles table you use an XML format. The VPA has three forms:

- A restriction with type sql, specific to a particular table. This is used when the restriction is on a single table, the restriction must compound restrictions using OR, or the restriction must relate tables (and so must state the table-name qualifier and field names explicitly).
- A restriction with type ForValidatedTables, a template for a restriction that can be expanded for all tables with a given name or that hold fields that validate on the table with the given name. This is the most common form of VPA restriction.
- A restriction with type ForFields, a template for a restriction that can be expanded for all fields with a given name. This is typically used for "generic" restrictions on non-validated fields, such as the tc_service enumeration field.
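As an added example (not ARCHIBUS code), the following Python implements the Default VPA Rules above: it turns a Building Code List or Site Code List from the A/FM Users table into the WHERE clause the text describes, ORs the items of one list, ANDs the building and site restrictions, and substitutes the validated field names per table. The allowed-character rule for codes and the per-table field table (bl, rm, mo) are assumptions for the example; the real engine derives the validated fields from the schema. The example also shows why the codes must be quoted rather than spliced in raw: the code list is administrator-typed data, and a value such as HQ') OR (1=1 would otherwise widen the restriction instead of narrowing it.

```python
"""Added example, not ARCHIBUS code: build the default VPA restriction from
the comma-delimited Building Code List / Site Code List of afm_users.

Rules implemented (from the text): plain codes -> IN, NULL -> IS NULL,
items containing % -> LIKE, items of one list ORed, the building and site
restrictions ANDed, field names substituted per table.
"""
import re

# Assumption: what a building/site code may contain. Quotes, parentheses and
# semicolons are deliberately excluded.
CODE_RE = re.compile(r"^[A-Za-z0-9 _.%-]+$")

# Assumed substitution table: which fields of each table validate on
# bl.bl_id / site.site_id (the text's own example is mo.bl_id_from and
# mo.bl_id_to for the Move Order table).
VALIDATED_FIELDS = {
    "bl": {"bl_id": ["bl.bl_id"], "site_id": ["bl.site_id"]},
    "rm": {"bl_id": ["rm.bl_id"]},
    "mo": {"bl_id": ["mo.bl_id_from", "mo.bl_id_to"]},
}


def sql_literal(code: str) -> str:
    """Quote one code as an SQL string literal, rejecting anything that is not
    a plausible code. Without this, a list entry like  HQ') OR (1=1  would
    turn the restriction into a tautology."""
    if not CODE_RE.match(code):
        raise ValueError(f"invalid code {code!r}")
    return "'" + code.replace("'", "''") + "'"


def vpa_clause(field: str, code_list: str) -> str:
    """One VPA restriction for one field from a comma-delimited code list."""
    items = [c.strip() for c in code_list.split(",") if c.strip()]
    if not items:
        return ""
    conds, plain = [], []
    for item in items:
        if item.upper() == "NULL":
            conds.append(f"( {field} IS NULL )")
        elif "%" in item:
            conds.append(f"( {field} LIKE {sql_literal(item)} )")
        else:
            plain.append(item)
    if plain:
        conds.append(f"( {field} IN ( {', '.join(sql_literal(p) for p in plain)} ))")
    # Several conditions from the same list are ORed.
    return conds[0] if len(conds) == 1 else "(" + " OR ".join(conds) + ")"


def user_vpa_restriction(table: str, bl_list: str = "", site_list: str = "") -> str:
    """Expand the building and site lists for every validated field of `table`
    and AND the resulting restrictions together (separate VPAs are ANDed).
    Assumption: a table with two validated building fields, such as mo,
    gets one restriction per field, both ANDed."""
    parts = []
    for key, code_list in (("bl_id", bl_list), ("site_id", site_list)):
        for field in VALIDATED_FIELDS.get(table, {}).get(key, []):
            clause = vpa_clause(field, code_list)
            if clause:
                parts.append(clause)
    return " AND ".join(parts)


if __name__ == "__main__":
    print(vpa_clause("bl_id", "NULL,HQ%, JFK-A, JFK-B"))
    print(user_vpa_restriction("mo", "HQ%"))
    print(user_vpa_restriction("bl", "HQ", "MAIN"))
    try:
        vpa_clause("bl_id", "HQ') OR (1=1")
    except ValueError as err:
        print("rejected:", err)
```

Running the block prints the compound clause exactly as the text gives it, the Move Order expansion with both building fields, and the ANDed building-plus-site form; the last call shows the malformed code being rejected before it reaches SQL.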
